git: opencrypto - remove in-kernel crypto(9) framework
Michael Neumann
mneumann at crater.dragonflybsd.org
Wed Dec 3 22:37:21 PST 2025
commit 056e2ccc0b1d87edc720e5d750b4acaeb3762613
Author: Michael Neumann <mneumann at ntecs.de>
Date: Sun Nov 9 18:30:11 2025 +0100
opencrypto - remove in-kernel crypto(9) framework

The opencrypto crypto(9) API was quite complex (8k LoC), slow and not
used by any other kernel subsystem within DragonFly anymore. It allowed
for chaining various operations, crypto ops and compression, but AFAIK
this was never really used and rather complicated. For a much simpler,
synchronous API see sys/src/crypto/cryptoapi. For a nice writeup on the
problems of crypto(9) in the context of FreeBSD, please see [1].

The opencrypto API was asynchronous by design. This was good back in the
days when dedicated hardware crypto devices did exist to help offload
the CPU. But the world has now changed towards synchronous CPU
instructions like AESNI. These dedicated CPU instructions are best
called synchronously, which removes the need for book-keeping of
asynchronous requests, often greatly simplifying the caller as well as
the API and "backend" implementation.

Furthermore, those dedicated crypto CPU instructions are not limited to
the kernel, they can be directly used by userland applications as well.
OpenSSL does that for instance (in case the CPU instruction is
supported) and as such is independent from the OS and its crypto
interface. This further avoids context switches from userland to kernel
and vice versa. Also, userland applications can more easily be compiled
with -O3 compiler optimizations and this makes a huge difference in
performance, especially when falling back to a "software" crypto
implementation.

For a much simpler and more limited, but synchronous crypto API that
both works in-kernel as well as in userland (without the need to go
through /dev/crypto device), see src/sys/crypto/cryptoapi. But usually,
you want to directly use a given block cipher without any abstraction on
top.

[1]: https://papers.freebsd.org/2022/bsdcan/baldwin-refining_freebsds_kernel_crypto_framework/

Summary of changes:
Makefile_upgrade.inc | 31 +
UPDATING | 10 +
etc/mtree/BSD.include.dist | 2 -
include/Makefile | 11 +-
share/man/man4/Makefile | 1 -
share/man/man4/aesni.4 | 95 --
share/man/man4/rndtest.4 | 6 +-
share/man/man9/Makefile | 18 -
share/man/man9/crypto.9 | 672 --------
sys/conf/files | 15 +-
sys/conf/kmod.mk | 2 +-
sys/config/LINT64 | 7 -
sys/config/X86_64_GENERIC | 1 -
sys/crypto/Makefile | 7 +-
sys/crypto/aesni/aesni.h | 7 +-
.../efi/loader/autoload.c => sys/crypto/crypto.c | 27 +-
sys/crypto/cryptoapi/cryptoapi.c | 2 +-
sys/dev/crypto/Makefile | 2 +-
sys/dev/crypto/aesni/Makefile | 7 -
sys/dev/crypto/aesni/aesni.c | 516 ------
sys/dev/crypto/aesni/aesni.h | 70 -
sys/opencrypto/cast.c | 242 ---
sys/opencrypto/cast.h | 23 -
sys/opencrypto/castsb.h | 545 -------
sys/opencrypto/criov.c | 197 ---
sys/opencrypto/crypto.c | 1651 --------------------
sys/opencrypto/cryptodev.h | 462 ------
sys/opencrypto/cryptodev_if.m | 55 -
sys/opencrypto/cryptosoft.c | 1433 -----------------
sys/opencrypto/cryptosoft.h | 69 -
sys/opencrypto/deflate.c | 174 ---
sys/opencrypto/deflate.h | 56 -
sys/opencrypto/gmac.c | 159 --
sys/opencrypto/gmac.h | 51 -
sys/opencrypto/skipjack.c | 258 ---
sys/opencrypto/skipjack.h | 19 -
sys/opencrypto/xform.c | 1099 -------------
sys/opencrypto/xform.h | 119 --
sys/platform/pc64/conf/files | 7 +-
sys/platform/vkernel64/conf/files | 4 +
sys/sys/param.h | 4 +-
41 files changed, 84 insertions(+), 8052 deletions(-)
delete mode 100644 share/man/man4/aesni.4
delete mode 100644 share/man/man9/crypto.9
copy stand/boot/efi/loader/autoload.c => sys/crypto/crypto.c (73%)
delete mode 100644 sys/dev/crypto/aesni/Makefile
delete mode 100644 sys/dev/crypto/aesni/aesni.c
delete mode 100644 sys/dev/crypto/aesni/aesni.h
delete mode 100644 sys/opencrypto/cast.c
delete mode 100644 sys/opencrypto/cast.h
delete mode 100644 sys/opencrypto/castsb.h
delete mode 100644 sys/opencrypto/criov.c
delete mode 100644 sys/opencrypto/crypto.c
delete mode 100644 sys/opencrypto/cryptodev.h
delete mode 100644 sys/opencrypto/cryptodev_if.m
delete mode 100644 sys/opencrypto/cryptosoft.c
delete mode 100644 sys/opencrypto/cryptosoft.h
delete mode 100644 sys/opencrypto/deflate.c
delete mode 100644 sys/opencrypto/deflate.h
delete mode 100644 sys/opencrypto/gmac.c
delete mode 100644 sys/opencrypto/gmac.h
delete mode 100644 sys/opencrypto/skipjack.c
delete mode 100644 sys/opencrypto/skipjack.h
delete mode 100644 sys/opencrypto/xform.c
delete mode 100644 sys/opencrypto/xform.h
http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/056e2ccc0b1d87edc720e5d750b4acaeb3762613
--
DragonFly BSD source repository
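
The commit message's point that AES-NI can be called synchronously and directly from userland, with no /dev/crypto round trip or request book-keeping, shown as an added example that is not part of the commit or of DragonFly's cryptoapi. The function names are hypothetical, a GCC or Clang toolchain on x86 is assumed, and the check value is the AES-128 vector from FIPS-197 Appendix C.1.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <wmmintrin.h>
/* Enable AES-NI per function, so the file builds without -maes. */
#define AESNI_FN __attribute__((target("aes,sse2")))
/* keygenassist needs an immediate round constant, hence a macro. */
#define EXPAND(k, rcon) expand_step((k), _mm_aeskeygenassist_si128((k), (rcon)))

AESNI_FN static __m128i expand_step(__m128i k, __m128i t)
{
    t = _mm_shuffle_epi32(t, 0xff);              /* broadcast SubWord/RotWord */
    k = _mm_xor_si128(k, _mm_slli_si128(k, 4));
    k = _mm_xor_si128(k, _mm_slli_si128(k, 4));
    k = _mm_xor_si128(k, _mm_slli_si128(k, 4));
    return _mm_xor_si128(k, t);
}

/* One AES-128 block, fully synchronous: no request object, no callback. */
AESNI_FN static void aes128_encrypt_block(const uint8_t *key, const uint8_t *in, uint8_t *out)
{
    __m128i rk[11], s;
    rk[0] = _mm_loadu_si128((const __m128i *)key);
    rk[1] = EXPAND(rk[0], 0x01); rk[2] = EXPAND(rk[1], 0x02);
    rk[3] = EXPAND(rk[2], 0x04); rk[4] = EXPAND(rk[3], 0x08);
    rk[5] = EXPAND(rk[4], 0x10); rk[6] = EXPAND(rk[5], 0x20);
    rk[7] = EXPAND(rk[6], 0x40); rk[8] = EXPAND(rk[7], 0x80);
    rk[9] = EXPAND(rk[8], 0x1b); rk[10] = EXPAND(rk[9], 0x36);
    s = _mm_xor_si128(_mm_loadu_si128((const __m128i *)in), rk[0]);
    for (int i = 1; i < 10; i++)
        s = _mm_aesenc_si128(s, rk[i]);
    _mm_storeu_si128((__m128i *)out, _mm_aesenclast_si128(s, rk[10]));
}

/* Returns 1 on a matching test vector, 0 on mismatch, -1 if the CPU lacks AES-NI. */
int aesni_selftest(void)
{
    static const uint8_t want[16] = { 0x69, 0xc4, 0xe0, 0xd8, 0x6a, 0x7b, 0x04, 0x30,
                                      0xd8, 0xcd, 0xb7, 0x80, 0x70, 0xb4, 0xc5, 0x5a };
    uint8_t key[16], pt[16], ct[16];
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d) || !(c & (1u << 25)))  /* CPUID.1:ECX bit 25 = AES */
        return -1;
    for (int i = 0; i < 16; i++) { key[i] = (uint8_t)i; pt[i] = (uint8_t)(i * 0x11); }
    aes128_encrypt_block(key, pt, ct);
    return memcmp(ct, want, 16) == 0;
}
#else
int aesni_selftest(void) { return -1; }  /* not x86: no AES-NI to probe */
#endif
int main(void) { printf("aesni_selftest: %d\n", aesni_selftest()); return 0; }
```

The runtime CPUID check matters because the target attribute only lets the compiler emit the instructions; executing them on a CPU without AES-NI raises an illegal-instruction fault.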